Microsoft Security Essentials – “Here I Come To Save The Day”

Oh, the embarrassment of it all! I haven’t had to deal with a malware issue (other than self-infecting in AV product testing) for more than 2 years – until this past week. No big deal, except perhaps for the way I got infected – that old, old, old malware attack vector – an infected search engine result.

The manipulation of search engine results, exploiting legitimate pages, and the seeding of malicious websites among the top results returned by search engines in order to infect users with malware, continues to be a major threat to system security. And, why not? It bloody well works!

Over the years, I’ve written more than a few articles on search engine malware – the last – Search Engine Malware – The Same Old, Same Old – this past August.

From that article:

Here’s how the cyber crooks do it:

Cyber-crooks can exploit vulnerabilities on the server hosting the web page to insert an iFrame (an HTML element which makes it possible to embed another HTML document inside the main document). The iFrame can then activate the download of malicious code.

When a potential victim visits one of these infected sites, there is a high likelihood that malicious code will be downloaded onto the computer by exploiting existing vulnerabilities.
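The injected iFrames described above are usually made invisible to the page’s own visitors (zero width and height, hidden via CSS, or tucked in after the closing body tag) so that the site owner doesn’t notice them. The following is an added example, not code from this post, of how a site owner could audit their own pages for iFrames with those characteristics. The sample page, the host names (`gardening-blog.example`, `injected-host.example`) and the `audit_html` / `suspicious_iframes` function names are all constructed for the example.

```python
"""Audit HTML for iframes that show the signs of an injected frame.

Added example (not from the Tech Thoughts post). The page below is constructed
and the hosts it references are placeholders, not real indicators.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# "0", "1", "0px", "1px": a frame nobody is meant to see.
ZERO_SIZE = re.compile(r"^\s*0*[01]\s*(px)?\s*$", re.I)
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
STYLE_DIM = re.compile(r"(width|height)\s*:\s*(\d+)\s*px", re.I)


class IframeAuditor(HTMLParser):
    """Collects every <iframe> and records why it looks hidden or out of place."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []
        self.body_closed = False  # injected frames are often appended after </body>

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {name: (value or "") for name, value in attrs}
        hidden = []   # indicators that the frame is concealed from the visitor
        context = []  # extra facts worth reporting but not conclusive on their own

        for dim in ("width", "height"):
            if dim in a and ZERO_SIZE.match(a[dim]):
                hidden.append(f"{dim} attribute is {a[dim].strip()!r}")
        style = a.get("style", "")
        if HIDDEN_STYLE.search(style):
            hidden.append("hidden via CSS")
        for dim, px in STYLE_DIM.findall(style):
            if int(px) <= 1:
                hidden.append(f"CSS {dim.lower()} is {px}px")
        if self.body_closed:
            hidden.append("appears after </body>")

        src = a.get("src", "")
        host = urlparse(src).hostname
        if host and host.lower() != self.page_host:
            # Legitimate embeds (video players etc.) are third-party too,
            # so this is context, not an indicator by itself.
            context.append(f"third-party src host {host}")

        self.findings.append({
            "src": src,
            "line": self.getpos()[0],
            "suspicious": bool(hidden),
            "reasons": hidden + context,
        })

    def handle_endtag(self, tag):
        if tag == "body":
            self.body_closed = True


def audit_html(html, page_host):
    """Return one record per <iframe> found in the page."""
    auditor = IframeAuditor(page_host)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


def suspicious_iframes(html, page_host):
    """Return only the iframes that carry at least one hiding indicator."""
    return [f for f in audit_html(html, page_host) if f["suspicious"]]


# Constructed sample: one ordinary video embed, plus a concealed frame
# appended after </body> the way a server-side injection typically lands.
SAMPLE_PAGE = """<html><head><title>Gardening tips</title></head>
<body>
<p>Welcome to the blog.</p>
<iframe src="https://www.youtube.com/embed/placeholder" width="560" height="315"></iframe>
<p>Thanks for reading.</p>
</body>
<iframe src="http://injected-host.example/frame.php" width="0" height="0" style="visibility:hidden"></iframe>
</html>
"""

if __name__ == "__main__":
    for finding in audit_html(SAMPLE_PAGE, "gardening-blog.example"):
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"line {finding['line']}: {flag} {finding['src']} -> {', '.join(finding['reasons'])}")
```

Run against a saved copy of your own page (or the output of a crawler over your site) and review anything marked suspicious; a visible third-party embed on its own is reported but not flagged, so the list stays short enough to read.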

So there I was, happily bouncing along the Internet highway Googling a phrase I had read on another blog. Choosing the first Google return proved to be a very bad idea indeed, since I immediately stepped into an infected iFrame.

But thankfully, all was not lost – Microsoft Security Essentials (which incorporates antivirus, antispyware and rootkit protection), halted the malware – Trojan:JS/BlacoleRef.K – in its tracks!

[Screenshot: Microsoft Security Essentials blocking Trojan:JS/BlacoleRef.K]

So what’s the lesson here?

A couple really – AV settings are very important. In this case, as per the following screen shot – nothing moves into, or out of this machine, without being scanned. Microsoft Security Essentials makes it so simple – no esoteric choices.

[Screenshot: Microsoft Security Essentials real-time protection settings]

The second lesson – a MOST important lesson – absolutely, positively, without fail, come hell or high water, ensure that AV definitions are updated at least daily. Preferably, more often.

You might be surprised to learn that on the day I stumbled, while MSE recognized the intruder, the vast majority of AVs did not – as per the following VirusTotal report (partially reproduced here).

[Screenshot: VirusTotal report for the sample, partially reproduced]

Since it was preposterous to assume that MSE had in fact eradicated the Trojan (paranoia has its upside, don’t you know?), I then ran a full scan with Kaspersky Rescue Disk – a free Linux-based antimalware application (a live CD), which scans from the outside looking in. Malware generally can’t hide if it’s not running.

The result? The Kaspersky Rescue Disk scan was clean. MSE had in fact, sent Trojan:JS/BlacoleRef.K to malware hell. Yes!!

I suppose there’s one more lesson that can be dug out of this experience, and that is – those tech journalists who absolutely insist that “pay for” antimalware applications are superior to all free AVs (often, without ever having tested the damn product in real world conditions), should take a step back and reconsider their speculative approach to antimalware application ratings.

Worth repeating: Despite the fact that I’m provided with a free license for all the security applications I test (and then some), I have chosen to run with the following FREE applications.

Microsoft Security Essentials (free) – an all-in-one antimalware application.

Immunet Protect – a free Cloud based companion antimalware application.

ThreatFire (free) – this application is built around a combination of a Host Intrusion Prevention System (HIPS) and behavior-based blocking.

WinPatrol (free) – another HIPS application with considerable additional functionality. WinPatrol is the elder statesman of this application class and, it just keeps on getting better. A must have application.

PC Tools Firewall Plus (free) – PC Tools Firewall Plus is advanced Firewall technology designed for typical users, not just experts. The “plus” refers to a HIPS component. Generally, if the ThreatFire HIPS component is triggered on my machine, PC Tools Firewall Plus is triggered as well.



Filed under Anti-Malware Tools, Cyber Crime, downloads, Free Anti-malware Software, Freeware, Immunet Protect, Microsoft, Software, trojans, Windows Tips and Tools

16 responses to “Microsoft Security Essentials – “Here I Come To Save The Day””

  1. Thanks Bill for an interesting article

    My MSE settings tab looks different from yours ~ is it an old picture you’re using?

  2. Mal

    Hey Bill,
    Now there is a perfect example of a top AV in action. I’ve been using MSE for a while now, after your recommendation (think of Kung Fu, Master Po and Grasshopper lol) and I just love how basic the settings are, no steep learning curve, just set it up, update regularly (three times a day for me) and you have superior protection.
    Cheers

    • Hey Mal,

      Yes, Grasshopper. 🙂

      The settings are the key, for sure. An average user shouldn’t have any problem working out the best setup – hopefully.

      Best,

      Bill

  3. Hey Bill,

    Glad to see MSE caught it and killed it. It’s nice to hear some real stories from real world situations rather than just relying on Antivirus Test Charts.

    I signed up to beta test the new version of MSE coming out soon.

    If I don’t talk to you Happy Thanksgiving to you….even if you are up north.

    • Hey TeX,

      Very cool! I hear the new version has some new features – no talk on what that means, yet.

      The same to you and your family – Happy Thanksgiving!

      Best,

      Bill

  4. Dave

    I have been with MSE since its beginning, and it has served me well. I also use ThreatFire, and PCTools Firewall. The three together are awesome. Good article Bill. Regards, Dave Curtis (Happy Thanksgiving).

  5. Eric

    Bill,

    This highlights the importance of a multi-layered approach. I like to run a complete Rescue Disk scan every few months just to be sure a system is not infected, even if my standard security tools do not see any issues. I like to also run Emsisoft’s malware scan, which is quite fast, and Malwarebytes at least once per week.

    With respect to the Rescue Disk, I think it is important to rotate because one product never catches everything.

    To every one in the United States, Happy Thanksgiving.

    • Hi Eric,

      A very nice approach to security scanning. I can see how that works quite well.

      I like your idea of rotating – no doubt about it, “one product never catches everything.”

      Have a wonderful Thanksgiving.

      Best,

      Bill

      • Eric

        Thank you. I recently read that MS was looking for beta testers for the latest iteration of MSE.

        Somewhat off-topic:

        1) Have you had an opportunity to look at, review or run the new Webroot SecureAnywhere product; and

        2) Would an iFrame injection trojan infect a browser that is running some sort of Flashblock extension?

        Thanks.

  6. I come across virus infected PCs on a daily basis and after I clean up the infections I download one thing – Sandboxie. Isolating your browser is a must because what your security products do not catch, Sandboxie will. Zero day malware is a real pain. I have never come across a piece of malware that can jump out of the sandbox and infect your PC but I admit that nothing is 100% safe but Sandboxie is pretty damn close. Sandboxie is free and there is an alternative to Sandboxie and that product is GeSwall, both products are FREE. I do recommend you use an antivirus product of your choice too along with a firewall and you will be good to go. Layered security is a must. Great article.

    • Hey Pedro,

      Totally agree – running virtualized on the Net is the way to go.

      As you pointed out, both Sandboxie and GeSwall are superb free applications which should be part of all users’ defenses.

      Great comment. Thank you.

      Bill